PCI Compliance Overview

PCI compliance refers to meeting and adhering to the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC), an alliance of the five major credit card companies — Visa®, MasterCard®, Discover®, American Express® and JCB International®. PCI DSS lays out for all merchants who process, store or transmit credit, debit or prepaid card information the steps to take to maintain a secure transaction environment.

As a leader in secure electronic payments, TransFirst® supports and promotes PCI compliance with a program that provides a number of services that help merchants become and remain compliant, even as PCI DSS requirements change.

PCI Compliance Program Components

The TransFirst PCI Compliance Program consists of several important and comprehensive components:

Our online Self-Assessment Questionnaire (SAQ) is an intuitive and easy-to-use tool with picture-driven qualification steps that helps merchants easily determine their Validation Type. It is supplemented with expert help text and real-life examples.

A set of custom security policies, powered by the Unified Compliance Framework (UCF), and policy templates that are automatically generated based on how merchants process payment cards provide an individualized approach to compliance.

Protection for Merchants and Customers

It’s important to understand that while PCI compliance is an important protection for both merchants and cardholders, there is no law requiring it. However, PCI compliance is a contractual obligation between merchants and the major card brands.

Although the PCI Security Standards Council does not impose consequences for non-compliance with PCI DSS, the individual payment brands can and do impose fines and/or operational sanctions that could be disastrous for your bottom line and your reputation with acquirers, payment brands and customers. Additionally, several states already have PCI compliance laws on their books, and more are expected to follow.

PCI compliance is not an expensive proposition or one that requires a great deal of effort on the part of the merchant; it is a great investment in security and peace of mind. TransFirst stands ready to instruct and support our merchants in that investment. Knowing what PCI compliance is and how to achieve it is vital to the future of your business on a number of different levels, so we provide in-depth information on our exclusive Compliance101.com website.

PCI Compliance Basics

On the surface, mandatory PCI compliance may seem complicated, even burdensome or intrusive on the way you run your business. But think of it this way: PCI compliance equates with security for both you and your customers. Isn’t a little effort and diligence on your part a small price to pay for peace of mind when your livelihood is at stake?

At TransFirst, we understand the ins and outs of PCI security compliance and are ready to help with services to ensure that your credit card processing meets all the established criteria.

The comprehensive operational and technical requirements laid out in the PCI DSS establish consistent measures for data security management, policies and procedures, network architecture and software design. Businesses and small merchants are required to process, store and transmit cardholder data (cardholder name, account number, service code and expiration date) as well as sensitive authentication data (magnetic stripe or chip data, CVV code and PINs) in compliance with these requirements so that it is kept private and secure.

Since online transaction and credit card fraud continue to be major threats to businesses, PCI compliance is crucial. That’s why it’s required of all entities with a Merchant ID (MID), from the largest big-box stores to the smallest mom-and-pop shops and everything in between. Additionally, all “players” in the credit card payment chain must be PCI compliant, including payment service providers like TransFirst, banks and hosting providers.

Ongoing Process

It’s important to realize that PCI compliance is an ongoing process, not a one-time event in your business life. Consider it a series of common sense, “best practices” steps that all merchants should follow as part of their security strategy. The three steps for adhering to the PCI DSS as outlined by the PCI SSC are:

Assess by identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.

Remediate by fixing vulnerabilities and not storing cardholder data unless you need it.

Report by compiling and submitting required remediation validation records (if applicable) and submitting compliance reports to the acquiring bank and card brands with which you do business.

PCI Compliance Requirements

Check with your payment brand or merchant account provider for the exact PCI security compliance requirements for your company or business. TransFirst provides information about PCI compliance requirements in general only.

Understanding the basis for PCI DSS will go a long way towards dispelling any concerns you may have about the process. Fundamentally, PCI DSS establishes six basic principles:

Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect cardholder data.

Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Protect stored cardholder data.

Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Use and regularly update anti-virus software.

Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Restrict access to cardholder data by business need-to-know.

Assign a unique ID to each person with computer access.

Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data.

Regularly test security systems and processes.

Maintain an Information Security Policy

Establish and maintain a policy to address information security.

Four Levels of PCI Compliance

There are four levels of PCI compliance; your level is determined by the number of electronic transactions you process each year.

Level 4

Small businesses — those processing less than 20,000 e-commerce transactions and less than 1 million other transactions annually — fall into this category. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ).

Level 3

Mid-sized companies generating between 20,000 and 1 million transactions annually require an annual risk assessment using the appropriate SAQ.

Level 2

Companies at this level handle between 1 million and 6 million transactions annually. A PCI SAQ must be completed each year.

Level 1

Big-box stores and other major corporations with a minimum of 6 million transactions per year must conduct an annual internal audit with a qualified PCI auditor. Quarterly PCI scans, administered by an Approved Scanning Vendor (ASV), may also be required for businesses at all four levels.

Whatever your level, TransFirst’s Transaction Express® can reduce your PCI burden and help you achieve and maintain compliance by enabling you to easily accept payments with maximum security. This web-based payment gateway’s secure processing platform is fully PCI compliant and ideally suited for merchants of all sizes.

Transaction Express’s features and services are designed to meet your unique needs and expectations. For example, through its tokenization service, Transaction Express’s hosted payment page eliminates the need to store card data altogether by sending back only minimal information such as transaction and reference IDs and an authorization code.
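The tokenized-response idea in the paragraph above, together with the data elements listed under PCI Compliance Basics, as an added example that is not TransFirst or Transaction Express code: a merchant-side check, in Python, that a record about to be persisted holds only the minimal fields a hosted-page response returns and no sensitive authentication data or full card number. Field names and sample values are constructed for this example.

```python
"""Audit what a merchant persists after a tokenized authorization.

PCI DSS forbids storing sensitive authentication data (track/chip data,
CVV, PIN) after authorization; a hosted-page flow should leave only
transaction/reference IDs and an authorization code to store.
All field names below are constructed for this example.
"""
import re

# Fields a tokenized hosted-page response is expected to hand back.
ALLOWED_FIELDS = {"transaction_id", "reference_id", "auth_code", "token"}
# Sensitive authentication data: never storable, even encrypted.
SAD_FIELDS = {"cvv", "cvv2", "pin", "pin_block", "track1", "track2", "chip_data"}


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check (PAN-like)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Detect a 13-19 digit Luhn-valid number, ignoring spaces and dashes."""
    compact = re.sub(r"[ -]", "", value)
    return compact.isdigit() and 13 <= len(compact) <= 19 and luhn_valid(compact)


def audit_stored_record(record: dict) -> dict:
    """Classify each field; return the violations and the storable subset."""
    violations, safe = [], {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            violations.append(f"{key}: sensitive authentication data must not be stored")
        elif isinstance(value, str) and looks_like_pan(value):
            violations.append(f"{key}: value looks like a full PAN")
        elif k in ALLOWED_FIELDS:
            safe[key] = value
        else:
            violations.append(f"{key}: not in the minimal tokenized field set")
    return {"ok": not violations, "violations": violations, "safe_record": safe}
```

Run `audit_stored_record` on the response payload before it reaches the database; anything that is not `ok` means card data is about to enter scope.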

PCI Compliance Means Security

By fully complying with PCI DSS, you significantly decrease your risk of electronic data fraud that could seriously jeopardize or damage your business brand, reputation and finances. Just one data breach can cause a cascade of lost sales, cancelled accounts, destruction of business and community relationships, high-stakes lawsuits, insurance claims, and expensive fines and sanctions by individual payment brands.

As a merchant, you know that doing business is based on trust between you and your customers. Consumers who believe their sensitive credit or debit card information is safe with you are more likely to return and to refer other business your way. PCI compliance helps establish that important level of trust and feeling of security.

The protective measures outlined in PCI DSS are an investment in the global battle against electronic fraud. PCI compliance ensures safeguarded payment card data with every transaction. Isn’t that what you and your customers expect and deserve?

When you’re ready to achieve and maintain PCI compliance, TransFirst can help. Complete the form above and one of our representatives will answer your questions and set you on the path to PCI compliance.

Richard Hari in your Colorado credit card customer service operation is one of the best people I've ever dealt with in any type of business. I had a problem with credit card processing for my very, very small business. I was told I would get a call in two business days. Richard called in about 20 minutes. He was patient and took time to walk me through the process. Great job and a credit to TransFirst.

- Online Retailer | Bruceton Mills, WV

Two key things here. #1 – This program has saved me hundreds of dollars a year, and #2 – the service. The last time I called my question was answered in one simple phone call. We didn't take credit cards for a long time due to the expense ... I am so glad I took the time to listen when you came in because this is so much better.

- Restaurant Owner | Palm Bay, FL

TransFirst has done everything they said they would do, and they do it every month with service and savings. We are saving very big dollars each month, so we are very happy with the service.

- Police Benevolent Association | McDonough, GA

I'm writing to thank you for the superb customer support you've offered us in the setting up of our account. Your prompt replies to my questions, even through your illness, speak very well of your organization and your own sense of responsibility. I would ask you to kindly forward this note to your supervisor, because I want him/her to appreciate your 'above and beyond' approach to your clients.

- Vision Care Provider | Windham, VT

I am extremely happy with TransFirst! The Transaction Express saves me hours a week with the ease of transactions and the up-to-date reporting. The service team is knowledgeable and eager to help. The best part, though, is the savings. Patrick made it so easy to switch merchant accounts. I wish I would have done it years ago!